This page provides an overview of route exchange between hybrid spokes and Virtual Private Cloud (VPC) spokes in Network Connectivity Center.
Route exchange with VPC spokes lets you connect VPC spokes and hybrid spokes, such as Cloud Interconnect VLAN attachments, HA VPN tunnels, and Router appliance VMs, on the same hub, which enables highly scalable any-to-any network connectivity between all such spokes attached to a single hub. A large number of on-premises locations and resources can connect with resources in Google Cloud spread across a large number of VPC networks globally. Hence, VMs and workloads in VPC spokes in any Google Cloud region can communicate with on-premises networks connected in any other Google Cloud region through VPC-to-hybrid-spoke connectivity.
Workload VPC networks
A workload VPC network is a VPC network with workloads that a spoke administrator adds to a hub as a VPC spoke. A workload VPC network can be a standalone VPC network, or it can be a Shared VPC network. A workload VPC network can be located in either the same project as the Network Connectivity Center hub or a different project in the same or another organization.
Routing VPC networks
A routing VPC network is any designated VPC network that contains Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs that you intend to add to a hub as hybrid spokes. The routing VPC network itself cannot be added to the hub as a VPC spoke in this case. Subnets of the routing VPC aren't exported to the hub. The hybrid attachments can, however, access these subnets because these are local to the VPC network.
Each routing VPC network—and the Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs that use the routing VPC network—must be located in the same project as the Network Connectivity Center hub.
Routing and workload VPC network exclusivity
Routing VPC networks and workload VPC networks are mutually exclusive:
If a routing VPC network contains Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs that are added as hybrid spokes to a Network Connectivity Center hub, you cannot add the routing VPC network to any hub as a VPC spoke.
If a workload VPC network is a VPC spoke on a hub, you cannot add Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs located in the workload VPC network to any hub as hybrid spokes.
Establishing connectivity between hybrid spokes and VPC spokes
To establish connectivity between hybrid spokes and VPC spokes, you add workload VPC networks to a Network Connectivity Center hub as VPC spokes, then you add Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs to the same hub as hybrid spokes. The Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs in each hybrid spoke are also associated with one or more routing VPC networks, but the routing VPC networks themselves need not be added to the Network Connectivity Center hub as VPC spokes.
Route tables
The Network Connectivity Center hub route table lists all learned dynamic routes from on-premises networks and subnet routes that are reachable from the attached spoke networks through the Network Connectivity Center hub. Hub route tables are read-only resources, fully managed by Network Connectivity Center. For detailed information about how to view the hub route table, see View the hub route table and routes.
The hub route table is updated with appropriate route entries when the following events occur:
- VPC spoke creation or deletion
- Subnet creation or deletion in attached VPC spokes
- Hybrid spoke creation or deletion
- BGP route advertisement or withdrawal from attached hybrid spokes
Each VPC spoke also has a VPC network route table. Each VPC network route table lists all routes that are programmed in the VPC network. For steps to view the VPC route table, see View the VPC route table.
About connectivity between VPC spokes and hybrid spokes
To establish connectivity between hybrid spokes and VPC spokes, a hub administrator needs to perform the following steps in this order:
1. Spoke administrators attach workload VPC networks to the hub as VPC spokes. For steps to create a VPC spoke, see Create a VPC spoke.
2. Spoke administrators attach Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs as hybrid spokes from routing VPC networks. For steps to create hybrid spokes, see Work with spokes.
You can make the routes from a VPC spoke network available to an on-premises network connected to your routing VPC network using Cloud VPN or Cloud Interconnect by doing one of the following:
- Set the includeImportRanges field to ["ALL_IPV4_RANGES"] in the LinkedVpnTunnels or LinkedInterconnectAttachments objects when creating or updating the Cloud VPN tunnel (gcloud example) or Cloud Interconnect attachment (gcloud example).
- Advertise custom address ranges from Cloud Router in your routing VPC network to share routes to destinations in the on-premises network.
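The two rules above (routing and workload VPC networks are mutually exclusive, and a hybrid spoke only exports VPC spoke routes to on-premises when includeImportRanges is set to ["ALL_IPV4_RANGES"]) are easy to get wrong when spokes are created by different administrators. The following preflight check is an added example, not code from the Network Connectivity Center documentation or from Google; it builds the spoke request body and refuses configurations that violate the exclusivity rule. The hub, network and tunnel URIs are constructed sample values; the uris and siteToSiteDataTransfer field names inside linkedVpnTunnels are assumed from the API and should be verified against the API reference before use.

```python
"""Preflight checks for adding spokes to a Network Connectivity Center hub.

Added example (not Google's code). Models two rules from the page:
  1. A VPC network is either a routing VPC (hosts hybrid spokes) or a
     workload VPC (added as a VPC spoke), never both, on any hub.
  2. A hybrid spoke only makes VPC spoke routes available to on-premises
     when includeImportRanges is ["ALL_IPV4_RANGES"].
All resource names are constructed sample values.
"""
from dataclasses import dataclass, field

ALL_IPV4_RANGES = "ALL_IPV4_RANGES"


@dataclass
class HubInventory:
    """Networks already known to the hub, by role."""
    workload_vpcs: set = field(default_factory=set)  # networks added as VPC spokes
    routing_vpcs: set = field(default_factory=set)   # networks whose attachments are hybrid spokes


def add_vpc_spoke(inv: HubInventory, network_uri: str) -> None:
    """Register a workload VPC as a VPC spoke, enforcing exclusivity."""
    if network_uri in inv.routing_vpcs:
        raise ValueError(
            f"{network_uri} already hosts hybrid spokes (routing VPC); "
            "it cannot also be added as a VPC spoke")
    inv.workload_vpcs.add(network_uri)


def build_vpn_spoke_body(hub_uri: str, tunnel_uris, import_vpc_routes: bool = True) -> dict:
    """Build the Spoke request body for an HA VPN hybrid spoke.

    Field names other than includeImportRanges are assumed from the API.
    """
    body = {
        "hub": hub_uri,
        "linkedVpnTunnels": {
            "uris": list(tunnel_uris),
            "siteToSiteDataTransfer": False,
        },
    }
    if import_vpc_routes:
        # Without this, on-premises never learns the VPC spoke subnet routes.
        body["linkedVpnTunnels"]["includeImportRanges"] = [ALL_IPV4_RANGES]
    return body


def add_hybrid_spoke(inv: HubInventory, body: dict, routing_vpc_uri: str) -> list:
    """Register a hybrid spoke whose tunnels live in routing_vpc_uri.

    Raises on an exclusivity violation; returns a list of non-fatal warnings.
    """
    if routing_vpc_uri in inv.workload_vpcs:
        raise ValueError(
            f"{routing_vpc_uri} is a VPC spoke (workload VPC); tunnels in it "
            "cannot be added as hybrid spokes")
    warnings = []
    linked = body.get("linkedVpnTunnels") or body.get("linkedInterconnectAttachments") or {}
    if linked.get("includeImportRanges") != [ALL_IPV4_RANGES]:
        warnings.append("includeImportRanges is not [\"ALL_IPV4_RANGES\"]: "
                        "VPC spoke routes will not reach on-premises via this spoke")
    inv.routing_vpcs.add(routing_vpc_uri)
    return warnings


if __name__ == "__main__":
    inv = HubInventory()
    hub = "projects/sample-proj/locations/global/hubs/sample-hub"  # constructed
    add_vpc_spoke(inv, "projects/sample-proj/global/networks/workload-a")
    body = build_vpn_spoke_body(hub, ["projects/sample-proj/regions/us-central1/vpnTunnels/t1"])
    print(add_hybrid_spoke(inv, body, "projects/sample-proj/global/networks/routing-vpc"))
```

Run the checks before calling the API so that a misrouted attachment is rejected locally rather than discovered as a missing route later; the warning list is the place to surface spokes that silently export nothing to on-premises.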
Use cases
This section lists the use cases for route exchange with VPC spokes.
On-premises connectivity for VPC spokes
VPC spokes can connect to on-premises networks by using hybrid spokes located in other (routing) VPC networks. Each Network Connectivity Center hub supports multiple VPC spokes and Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs added as hybrid spokes. The following diagram shows an example hub with both VPC spokes and hybrid spokes.
Steering traffic over preferred routes with longest prefix match rule
When a less specific prefix is announced from an on-premises router, you can steer traffic away from that route by announcing a more specific prefix across a VLAN attachment configured as a hybrid spoke. The more specific route (the longest prefix match) takes precedence over less specific routes (shorter prefix matches).
For detailed information about route selection, see Routing order.
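To make the longest-prefix-match behaviour concrete, the following added example (not code from the Network Connectivity Center documentation or from Google) runs route selection over a constructed hub route table in which a /8 is learned over one VLAN attachment and a more specific /16 is announced over another, with a still more specific /24 steering part of that /16 back. The prefixes and spoke names are constructed sample values, and the function only models prefix-length precedence, not the other factors in Routing order (priority, route type, region).

```python
"""Longest-prefix-match selection over a constructed hub route table.

Added example, not Google's code. Only prefix length is modelled; the
real selection order also considers route type, priority and locality.
"""
import ipaddress

# Constructed sample hub route table: (destination prefix, next-hop spoke).
SAMPLE_ROUTES = [
    ("10.0.0.0/8", "vlan-attachment-a"),       # less specific, from on-prem router A
    ("10.20.0.0/16", "vlan-attachment-b"),     # more specific: steers 10.20/16 to B
    ("10.20.5.0/24", "vlan-attachment-a"),     # most specific: one /24 back to A
    ("192.168.10.0/24", "vpc-spoke-workload"), # subnet route from a VPC spoke
]


def build_table(routes):
    """Parse (prefix, next_hop) pairs into ip_network objects."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def select_route(table, destination):
    """Return (prefix, next_hop) of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, next_hop in table:
        # 'in' is False for mismatched IP versions, so IPv6 never matches IPv4 rows.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def shadowed_by(table, prefix):
    """List the more specific prefixes that override part of `prefix`.

    Useful when auditing which announcements steer traffic off a route.
    """
    target = ipaddress.ip_network(prefix)
    return sorted(
        str(net) for net, _ in table
        if net != target and net.version == target.version and net.subnet_of(target)
    )


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    for dst in ("10.3.1.1", "10.20.7.1", "10.20.5.9", "172.16.0.1"):
        print(dst, "->", select_route(table, dst))
    print("10.0.0.0/8 shadowed by", shadowed_by(table, "10.0.0.0/8"))
```

When reviewing a hub route table, shadowed_by is the quick way to see which on-premises announcements are pulling traffic away from a broader prefix, which is also where an unexpected more-specific announcement would show up.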
What's next
- To create hubs and spokes, see Work with hubs and spokes.
- To view a list of partners whose solutions are integrated with Network Connectivity Center, see Network Connectivity Center partners.
- To find solutions for common issues, see Troubleshooting.
- To get details about API and Google Cloud CLI commands, see APIs and reference.